Merge branch 'feat/add-process-based-exceptions-to-drift-policies' of https://github.com/sysdiglabs/terraform-provider-sysdig into feat/add-process-based-exceptions-to-drift-policies

Author: IgorEulalio

examples/serverless-agent/fargate/workload-legacy/README.md

@@ -0,0 +1,30 @@
+# Workload with Serverless Workload Agent
+
+This example deploys a cluster with a workload and the Serverless Workload Agent as a sidecar to secure the workload.
+
+The Workload Agent will use an Orchestrator Agent as a proxy to the Sysdig Collector.
+
+## Prerequisites
+
+The following prerequisites are required to deploy this cluster:
+- Orchestrator Agent deployed
+- VPC
+- 2 subnets
+
+## Components
+
+The cluster will be called `<prefix>-instrumented-workload` and will deploy the following:
+- 1 Service (called `<prefix-instrumented-service`)
+  - 1 Task with 2 replicas, each running:
+    - 1 container named `event-gen-1` running `falcosecurity/event-generator`
+    - 1 container named `event-gen-2` also running `falcosecurity/event-generator`
+    - 1 container named `SysdigInstrumentation` running the latest Workload Agent which will secure both workload containers
+
+## Layout
+| **File** | **Purpose** |
+| --- | --- |
+| `instrumented_load.tf` | Workload definition. By default it instruments `falcosecurity/event-generator` |
+| `main.tf` | AWS provider configuration |
+| `output.tf` | Defines the output variables |
+| `variables.tf` | AWS and Agent configuration |
+| `versions.tf` | Defines TF provider versions |

examples/serverless-agent/fargate/workload-legacy/instrumented_load.tf

@@ -0,0 +1,145 @@
+data "sysdig_fargate_workload_agent" "containers_instrumented" {
+  container_definitions = jsonencode([
+    {
+      "name" : "event-gen-1",
+      "image" : "falcosecurity/event-generator",
+      "command" : ["run", "syscall", "--all", "--loop"],
+      "logConfiguration" : {
+        "logDriver" : "awslogs",
+        "options" : {
+          "awslogs-group" : aws_cloudwatch_log_group.instrumented_logs.name,
+          "awslogs-region" : var.region,
+          "awslogs-stream-prefix" : "task"
+        },
+      }
+    },
+    {
+      "name" : "event-gen-2",
+      "image" : "falcosecurity/event-generator",
+      "command" : ["run", "syscall", "--all", "--loop"],
+      "logConfiguration" : {
+        "logDriver" : "awslogs",
+        "options" : {
+          "awslogs-group" : aws_cloudwatch_log_group.instrumented_logs.name,
+          "awslogs-region" : var.region,
+          "awslogs-stream-prefix" : "task"
+        },
+      }
+    }
+  ])
+
+  workload_agent_image = var.agent_workload_image
+
+  sysdig_access_key = var.access_key
+  orchestrator_host = var.orchestrator_host
+  orchestrator_port = var.orchestrator_port
+
+  log_configuration {
+    group         = aws_cloudwatch_log_group.instrumented_logs.name
+    stream_prefix = "instrumentation"
+    region        = var.region
+  }
+}
+
+resource "aws_ecs_task_definition" "task_definition" {
+  family             = "${var.prefix}-instrumented-task-definition"
+  task_role_arn      = aws_iam_role.task_role.arn
+  execution_role_arn = aws_iam_role.execution_role.arn
+
+  cpu                      = "256"
+  memory                   = "512"
+  network_mode             = "awsvpc"
+  requires_compatibilities = ["FARGATE"]
+  pid_mode                 = "task"
+
+  container_definitions = data.sysdig_fargate_workload_agent.containers_instrumented.output_container_definitions
+}
+
+
+resource "aws_ecs_cluster" "cluster" {
+  name = "${var.prefix}-instrumented-workload"
+}
+
+resource "aws_cloudwatch_log_group" "instrumented_logs" {
+}
+
+data "aws_iam_policy_document" "assume_role_policy" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["ecs-tasks.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_role" "execution_role" {
+  assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
+
+  managed_policy_arns = ["arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"]
+}
+
+resource "aws_iam_role" "task_role" {
+  assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
+
+  inline_policy {
+    name   = "root"
+    policy = data.aws_iam_policy_document.task_policy.json
+  }
+}
+
+data "aws_iam_policy_document" "task_policy" {
+  statement {
+    actions = [
+      "ecr:GetAuthorizationToken",
+      "ecr:BatchCheckLayerAvailability",
+      "ecr:GetDownloadUrlForLayer",
+      "ecr:BatchGetImage",
+      "logs:CreateLogGroup",
+      "logs:CreateLogStream",
+      "logs:PutLogEvents",
+    ]
+
+    resources = ["*"]
+  }
+}
+
+resource "aws_ecs_service" "service" {
+  name = "${var.prefix}-instrumented-service"
+
+  cluster          = aws_ecs_cluster.cluster.id
+  task_definition  = aws_ecs_task_definition.task_definition.arn
+  desired_count    = var.replicas
+  launch_type      = "FARGATE"
+  platform_version = "1.4.0"
+
+  network_configuration {
+    subnets          = [var.subnet_1, var.subnet_2]
+    security_groups  = [aws_security_group.security_group.id]
+    assign_public_ip = true
+  }
+}
+
+resource "aws_security_group" "security_group" {
+  description = "${var.prefix}-security-group"
+  vpc_id      = var.vpc_id
+}
+
+resource "aws_security_group_rule" "orchestrator_agent_ingress_rule" {
+  type              = "ingress"
+  protocol          = "tcp"
+  from_port         = 0
+  to_port           = 0
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = aws_security_group.security_group.id
+}
+
+resource "aws_security_group_rule" "orchestrator_agent_egress_rule" {
+  type              = "egress"
+  protocol          = "all"
+  from_port         = 0
+  to_port           = 0
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = aws_security_group.security_group.id
+}

examples/serverless-agent/fargate/workload-legacy/output.tf

@@ -0,0 +1,15 @@
+output "workload_cluster_name" {
+  value = aws_ecs_cluster.cluster.name
+}
+
+output "workload_cluster_arn" {
+  value = aws_ecs_cluster.cluster.arn
+}
+
+output "service_arn" {
+  value = aws_ecs_service.service.id
+}
+
+output "task_revision" {
+  value = aws_ecs_task_definition.task_definition.revision
+}

examples/serverless-agent/fargate/workload-legacy/providers.tf

@@ -0,0 +1,4 @@
+provider "aws" {
+  region = var.region
+  profile = var.profile
+}

examples/serverless-agent/fargate/workload-legacy/variables.tf

@@ -0,0 +1,56 @@
+# AWS configuration
+variable "prefix" {
+  description = "All resources created by Terraform have this prefix prepended to them"
+}
+
+variable "profile" {
+  description = "AWS profile name"
+  type        = string
+}
+
+variable "region" {
+  description = "AWS Region for deployment"
+  default     = "us-east-1"
+}
+
+variable "subnet_1" {
+  description = "Subnet-1 Id"
+}
+
+variable "subnet_2" {
+  description = "Subnet-2 Id"
+}
+
+variable "vpc_id" {
+  description = "VPC Id"
+}
+
+variable "tags" {
+  type        = map(string)
+  description = "Tags to assign to resources in module"
+  default     = {}
+}
+
+variable "replicas" {
+  description = "Number of workload replicas to run"
+  default     = 2
+}
+
+# Serverless Agent Configuration
+variable "access_key" {
+  description = "Sysdig Agent access key"
+}
+
+variable "agent_workload_image" {
+  description = "Workload agent container image"
+  default     = "quay.io/sysdig/workload-agent:latest"
+}
+
+variable "orchestrator_host" {
+  description = "Orchestrator Host"
+}
+
+variable "orchestrator_port" {
+  description = "Orchestrator Port"
+  default     = 6667
+}

examples/serverless-agent/fargate/workload-legacy/versions.tf

@@ -0,0 +1,18 @@
+terraform {
+  required_version = ">=1.7.2"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.35.0"
+    }
+    local = {
+      source  = "hashicorp/local"
+      version = "~> 2.4.1"
+    }
+    sysdig = {
+      source  = "sysdiglabs/sysdig"
+      version = "~> 1.24.5"
+    }
+  }
+}

examples/serverless-agent/fargate/workload/README.md

@@ -2,21 +2,22 @@
 
 This example deploys a cluster with a workload and the Serverless Workload Agent as a sidecar to secure the workload.
 
+The Workload Agent will directly connect to the Sysdig Collector.
+
 ## Prerequisites
 
 The following prerequisites are required to deploy this cluster:
-- Orchestrator Agent deployed
 - VPC
 - 2 subnets
 
 ## Components
 
 The cluster will be called `<prefix>-instrumented-workload` and will deploy the following:
 - 1 Service (called `<prefix-instrumented-service`)
-  - 1 Task (with the latest version of the Serverless Orchestrator Agent)
+  - 1 Task with 2 replicas, each running:
     - 1 container named `event-gen-1` running `falcosecurity/event-generator`
     - 1 container named `event-gen-2` also running `falcosecurity/event-generator`
-    - 1 container named `SysdigInstrumentation` running the Workload Agent which will secure both workload containers
+    - 1 container named `SysdigInstrumentation` running the latest Workload Agent which will secure both workload containers
 
 ## Layout
 | **File** | **Purpose** |

examples/serverless-agent/fargate/workload/instrumented_load.tf

@@ -31,8 +31,8 @@ data "sysdig_fargate_workload_agent" "containers_instrumented" {
   workload_agent_image = var.agent_workload_image
 
   sysdig_access_key = var.access_key
-  orchestrator_host = var.orchestrator_host
-  orchestrator_port = var.orchestrator_port
+  collector_host    = var.collector_host
+  collector_port    = var.collector_port
 
   log_configuration {
     group         = aws_cloudwatch_log_group.instrumented_logs.name

examples/serverless-agent/fargate/workload/variables.tf

@@ -31,6 +31,11 @@ variable "tags" {
   default     = {}
 }
 
+variable "replicas" {
+  description = "Number of workload replicas to run"
+  default     = 2
+}
+
 # Serverless Agent Configuration
 variable "access_key" {
   description = "Sysdig Agent access key"
@@ -41,16 +46,11 @@ variable "agent_workload_image" {
   default     = "quay.io/sysdig/workload-agent:latest"
 }
 
-variable "orchestrator_host" {
-  description = "Orchestrator Host"
+variable "collector_host" {
+  description = "Collector Host"
 }
 
-variable "orchestrator_port" {
-  description = "Orchestrator Port"
-  default     = 6667
-}
-
-variable "replicas" {
-  description = "Number of workload replicas to run"
-  default     = 2
+variable "collector_port" {
+  description = "Collector Port"
+  default     = 6443
 }

sysdig/data_source_sysdig_monitor_notification_channel_ibm_function_test.go

@@ -754,10 +754,11 @@ resource "sysdig_secure_cloud_auth_account" "sample" {
 		  oci = {
 			api_key = {
 			  user_id = "user-id"
+#			  region = "region"
+			}
+			policy = {
+			 policy_id = "policy-id"
 			}
-#			policy = {
-#			 policy_id = "policy-id"
-#			}
 		  }
 		})
 	  }

sysdig/internal/client/v2/cloudauth/go/cloud_account.pb.go

@@ -8,32 +8,33 @@ description: |-
 
 # Data Source: fargate_workload_agent
 
-Updates the fargate workload definition to add a [Sysdig Agent](https://docs.sysdig.com/en/docs/installation/serverless-agents/aws-fargate-serverless-agents/)
+Updates the ECS Fargate Container Definitions to add a [Sysdig Workload Agent](https://docs.sysdig.com/en/docs/installation/serverless-agents/aws-fargate-serverless-agents/)
 
 -> **Note:** Sysdig Terraform Provider is under rapid development at this point. If you experience any issue or discrepancy while using it, please make sure you have the latest version. If the issue persists, or you have a Feature Request to support an additional set of resources, please open a [new issue](https://github.com/sysdiglabs/terraform-provider-sysdig/issues/new) in the GitHub repository.
 
-You'll need to connect the Sysdig Agent to the Sysdig backend through an orchestrator. For details about how to deploy an orchestrator check the [Sysdig Orchestrator module](https://registry.terraform.io/modules/sysdiglabs/fargate-orchestrator-agent/aws/latest).
+The Sysdig Workload Agent will need to connect to the Sysdig Collector. Find your region's collector endpoint here: https://docs.sysdig.com/en/docs/administration/saas-regions-and-ip-ranges/.
 
 ## Example Usage
 
 ```terraform
 data "sysdig_fargate_workload_agent" "instrumented_containers" {
   container_definitions = "[]"
 
-  image_auth_secret    = ""
   workload_agent_image = "quay.io/sysdig/workload-agent:latest"
-  
-  orchestrator_host    = module.fargate-orchestrator-agent.orchestrator_host
-  orchestrator_port    = module.fargate-orchestrator-agent.orchestrator_port
+
+  collector_host    = var.collector_host
+  collector_port    = var.collector_port
+  sysdig_access_key = var.sysdig_access_key
 }
 ```
 
 ## Argument Reference
 
 * `container_definitions` - (Required) The input Fargate container definitions to instrument with the Sysdig workload agent.
-* `orchestrator_host` - (Required) The orchestrator host to connect to.
-* `orchestrator_port` - (Required) The orchestrator port to connect to.
 * `workload_agent_image` - (Required) The Sysdig workload agent image.
+* `collector_host` - (Required) The Sysdig Collector host to connect to.
+* `collector_port` - (Required) The Sysdig Collector port.
+* `sysdig_access_key` - (Required) The Sysdig Agent access key, available in the Sysdig Secure UI.
 * `image_auth_secret` - (Optional) The registry authentication secret.
 * `log_configuration` - (Optional) Configuration for the awslogs driver on the instrumentation container. All three values must be specified if instrumentation logging is desired:
   * `group` - The name of the existing log group for instrumentation logs